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(54) CIPHER PROCESSOR, IC CARD AND CIPHER PROCESSING METHOD 



(57) The present invention can be applied to a 
cipher processing apparatus, which includes a function 
F having a configuration of repeating process and inside 
of the function F. a function f having a configuration of 
repeating process is included. According to the inven- 
tion, the cipher processing apparatus is configured by 
registers 301 through 303 for temporarily holding data, 
selectors A through C, 31 1 through 313. and a function 
f operating circuit 323 for transforming data. An output 
data from the function f operating circuit 323 is held in 
the register C 303. and the selector C 313 selects either 
to repeat the data transformation by the function operat- 
ing circuit 323 or not. When a cipher processing appara- 
tus includes a function F having a configuration of 
repeating process and inside of the function F, a func- 
tion f having a configuration of repeating process is 
included, the cipher processing apparatus can be 
embodied efficiently, which enables to reduce the circuit 
scale and to save electric power. 
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Description 
Technical Field 

[0001] The present Invention relates to a cipher 
processing apparatus. In particular, to a small-sized 
cipher processing apparatus Installed in an IC (Inte- 
grated Circuit) card and so on. 

Background Art 

[0002] For a conventional related art of the invention. 
DES (Data Encryption Standard) of U. S. commercially 
used cipher, which Is a block cipher of secret key (com- 
mon key) cryptosystem, will be explained. 
[0003] A detail of DES processing Is described in such 
as Hans Eberl "A High-speed DES implementation for 
Network Applications". Advances in Cryptology — 
CRYPTO '92. Lecture Notes In computer Science 740, 
Springer- Verlag. 

[0004] Fig. 18 Is a flowchart showing DES encryption 
algorithm. 

[0005] In Fig. 18, reference numerals 1001 — 1004 
show operations using function F for data transforma- 
tion. Reference numerals 1011 — 1014 show XOR 
operations bit by bit. In the figure, an initial permutation 
and a final permutation are omitted. 
[0006] An operation will be explained. 
[0007] An input data 1 050 having 2 x n bits (In case of 
DES, 2 X 32 bits) is divided into two n-bit data 1051 and 
1052. The n-bIt data 1051 is output as n-bit data 1053 
without any transformation. The data 1051 is also Input 
to the function F 1001 to be transformed. The data 
transformed by the function F 1001 Is XORed with the 
other n-bIt data 1052 bit by bit by the XOR operation 
101 1 and the XORed result is output as n-bit data 1054. 
[0008] Hereinafter, operations are repeated by the 
functions F 1002, 1003, and 1004. the XOR operations 
1012, 1013, and 1014 and output data 1055 and 1056 
are output. The two n-bit data are united and output as 
2n-bitdata 1057. 

[0009] Fig. 19 shows an example of cipher processing 
apparatuses performing data transformation similar to 
the DES encryption as shown In the flowchart of Fig. 18. 
[0010] In Fig. 19, reference numerals 1 101 and 1 102 
show registers A and B for holding data. Reference 
numerals 1103 and 1104 are selectors A and B for 
selecting one of data. 1 1 05 denotes a function F operat- 
ing circuit for calculating the function F as data transfor- 
mation. 1106 denotes an XOR circuit. 1201 and 1202 
respectively show n-bit input data A and B. 1203 and 
1204 respectively show n-bit output data A and B. 
[001 1] An operation will be explained. 
[001 2] An Input data having 2 x n bits (in case of DES, 
2 X 32 bits) is divided Into two n-bIt input data A1201 
and B1202. The two Input data are respectively 
selected by the selectors A1 1 03 and 81 1 04 and held In 
the registers A1101 and B1104. The data held in the 



register A1101 is fed back to the selectors A1103 and 
B1 104 and Input to the function F operating circuit 1 105 
at the same time. After transformed by the function F 
operating circuit 1 105, the data is XORed by the XOR 
5 Circuit 1106 with the data held In the register B1102. 
The XORed result is fed back to the selectors All 03 
and B1104. 

[0013] Next, the selector A1 103 selects the XORed 
result of the XOR circuit 1106. the selector B selects 

10 data held in the register All 01, and the registers A1 001 
and B1002 are respectively updated by these selected 
data to hold therein. Then, similarly the operation, cor- 
responding to the operation through the functions F 
1002, 1003, 1004 and the XOR circuits 1012. 1013, 

15 1014 shown in Fig. 18, is repeated (looped) a neces- 
sary number of times, and the output data A1203 and 
B1204 are finally output. In case of DES, the operation 
will be repeated 16 times. 

[0014] This conventional related art is described in 
20 detail, for example, in Hans Eberl "A High-speed DES 
Implementation for Network Applications", Advances in 
Cryptology-CRYPTO '92, Lecture Notes in computer 
Science 740. Springer-Verlag. 

[001 5] In a cipher processing apparatus by the above 

25 method, when the apparatus is constructed by a plural- 
ity of the functions F having similar configuration for 
processing, it is possible to efficiently construct a 
processing circuit by using one circuit repeatedly. This 
enables to reduce the circuit scale and also save elec- 

30 trie power However, there Is a problem that when the 
function F Includes a smaller circuit having repeating 
process, the conventional configuration of the cipher 
processing apparatus does not efficiently reduce the cir- 
cuit scale or save electric power. 

35 [0016] The present Invention is provided to solve the 
above-mentioned problem. The Invention alms to obtain 
a cipher processing apparatus, which can be con- 
structed efficiently to reduce a circuit scale and save 
electric power even if the apparatus has a configuration 

40 of repeatedly processing the function F Including an 
internal smaller circuit configured by repeating process. 

Disclosure of the Invention 

45 [0017] According to the present invention, In a cipher 
processing apparatus performing a first data transfor- 
mation process on an input data a plurality of times by a 
first operating circuit, 

50 the first operating circuit comprises a loop process- 
ing circuit for performing a second data transforma- 
tion process a plurality of times: 
the loop processing circuit comprises a second 
operating circuit, a data holding circuit, and a 

55 selecting circuit to form a processing loop; 

the second operating circuit performs the second 

data transformation process; 

the data holding circuit tentatively holds the data on 
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which the second data transformation process was 
performed: and 

the selecting circuit selects one of to terminate and 
to continue the second data transformation process 
by the loop processing circuit. 

[0018] The second operating circuit comprises: 

a data dividing circuit dividing data input to the sec- 
ond operating circuit into a first divided data and a 
second divided data; 

a third operating circuit transforming the first 
divided data; 

an XOR circuit XORing an output data from the 
third operating circuit with the second divided data 
bit by bit; and 

a data uniting circuit uniting an output data from the 
XOR circuit and the second divided data. 

[0019] The selecting circuit inputs a data for the first 
data transformation process by the first operating circuit 
and a data held in the data holding circuit, and the 
selecting circuit selects the data held In the data holding 
circuit when a process by the loop processing circuit Is 
to be continued. 

[0020] The selecting circuit selects the data for the 
first data transformation process by the first operating 
circuit when a process by the processing loop circuit 
starts- 

[0021 ] The cipher processing apparatus further com- 
prises: 

a register A and a register B alternately holding the 
data for the first data transformation by the first 
operating circuit; 

two XOR circuits XORing bit by bit the data on 
which the first data transformation was performed 
by the first operating circuit with the data held in the 
register A and with the data held in the register B, 
respectively; 

a selector A and a selector B selecting one of the 
data on which the first data transformation was per- 
formed by a first operating unit and an XORed data 
by the XOR circuit to hold in the register A and the 
register B. respectively; and 
the selecting circuit alternately selects the register 
A and the register B to start the process of the loop 
processing circuit. 

[0022] The first operating circuit further performs a 
data transformation different from the second data 
tran^ormation process for the data on which the sec- 
ond data transformation was performed by a processing 
loop unit to output a transformed data. 
[0023] The second operating circuit comprises: 

m (m s 1) number of function operating circuits 
inputting identical data from the selecting circuit; 



and 

a selector with m inputs and one output for Inputting 
data operated by the m number of function operat- 
ing circuits and selecting one of the input data. 

5 

[0024] The cipher processing apparatus further com- 
prises: 

a function operating unit transforming data output 
10 from the selecting circuit; and 

a selector inputting data operated by the function 
operating unit and the data output from the select- 
ing circuit, and outputting one of the data. 

15 [0025] According to the present Invention, In a cipher 
processing method performing a first data transforma- 
tion for an input data a plurality of times by a first oper- 
ating step. 

20 the first operating step comprises a loop processing 
step performing a second data transformation at a 
plurality of times; 

the loop processing step comprises: 
a second operating step performing the second 
25 data transformation; 

a data holding step temporarily holding data on 
which the second data transformation was per- 
formed; and 

a selecting step for selecting either of to terminate 
30 and to continue the second data transformation by 
the loop processing step. 

[0026] The second operating step comprises: 

35 a data dividing step dividing data input to the sec- 
ond operating step into a first divided data and a 
second divided data; 

a third operating step transforming the first divided 
data; 

40 an XOR step XORing an output data from the third 
operating step with the second divided data bit by 
bit; and 

a data uniting step uniting an output data from the 
XOR step and the second divided data. 

45 

[0027] According to the present invention, an 10 (inte- 
grated circuit) card communicating data with a 
reader/writer comprises: 

50 a data receiving circuit receiving the data from the 
reader/writer; 

a data transmitting circuit transmitting the data to 
the reader/writer; and 

the cipher processing apparatus of the invention 
55 encrypting/decrypting the data. 

[0028] According to the present invention, an IC card . 
communicating data with a reader/writer comprises: 
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a data receiving circuit receiving the data from the 
reader/writer; 

a data transmitting circuit transmitting the data to 
the reader/writer; and 

the cipher processing apparatus of the invention 
encrypting/decrypting the data. 



third embodiment of the invention. 
Fig. 1 7 is a block diagram showing a basic configu- 
ration of an IC according to the third embodiment of 
the invention. 

5 Fig. 18 shows an encryption algorithm according to 

the conventional related art. 
Fig. 19 Is a block diagram showing a basic configu- 
ration of a cipher processing apparatus according 
to the conventional related art. 

10 

Best Mode for Carrying out the Invention 



Brief Description of the Drawings 
[0029] 

Fig. 1 shows an encryption algorithm in relation to a 
first embodiment of the present invention. 
Fig. 2 shows a configuration of a function used for 
an encryption algorithm in relation to the first 15 
embodiment of the present invention. 
Fig. 3 is a block diagram showing a basic configura- 
tion of a cipher processing apparatus according to 
the first embodiment of the invention. 
Fig. 4 is a flowchart showing one example of basic so 
operations of the cipher processing apparatus 
according to the first embodiment of the invention. 
Fig. 5 is a flowchart showing one example of basic 
operations of the cipher processing apparatus 
according to the first embodiment of the invention. 25 
Fig. 6 shows a configuration of the function used for 
an encryption algorithm in relation to the first 
emtXKliment of the present invention. 
Fig. 7 shows the encryption algorithm according to 
the first embodiment of the present invention. 30 
Fig. 8 shows a configuration of the function used for 
the encryption algorithm according to the first 
embodiment of the present invention. 
Rg. 9 is a block diagram showing a configuration of 
a second operating circuit according to the first 35 
embodiment of the present invention. 
Fig. 10 shows an encryption algorithm in relation to 
a second embodiment of the present invention. 
Fig. 1 1 shows a configuration of a function used for 
the encryption algorithm according to the second 40 
emlx>diment of the present invention. 
Fig. 12 is a block diagram showing a basic configu- 
ration of a cipher processing apparatus according 
to the second embodiment of the invention. 
Fig. 13 is a flowchart showing an example of basic 45 
operations of the cipher processing apparatus 
according to the second embodiment of the inven- 
tion. 

Fig. 1 4 is a flowchart showing one example of basic 
operations of the cipher processing apparatus so 
according to the second embodiment of the inven- 
tion. 

Fig. 15 is a flowchart showing an example of basic 
operations of the cipher processing apparatus 
according to the second embodiment of the inven- 55 
tion. 

Rg. 16 is a block diagram showing a basic configu- 
ration of a communication system according to a 



Embodiment 1 . 

[0030] A cipher processing apparatus according to 
one embodiment of the present invention will be 
explained referring to Figs. 1 through 3. 
[0031] Fig. 1 is a flowchart showing an encryption 
algorithm of a cipher processing apparatus according to 
one embodiment of the present invention. 
[0032] In Fig. 1, reference numerals 101 through 104 
show operations using functions F for data transforma- 
tion, arxJ reference numerals 111 through 114 show 
XOR operations bit by bit, 

[0033] Fig. 2 shows a configuration of operation using 
the function F, which is configured by three operations 
using functions f 201 through 203 and an operation 
using a function g 21 1 . 

[0034] An operation will be described hereinafter. 
[0035] An input data 150 having 2 x n bits is divided 
into two, namely, n-bit data 151 having upper digits of 
the input data arxJ n-bit data 152 having lower digits of 
the input data. The n-bit data 1 51 is output as n-bit data 
153 without any transformation, and the n-bit data 151 
is also transformed by the function F 101. The output 
data from the function F 101 is XORed with another n- 
bit data 152 by the XOR circuit 111 bit by bit and n-bit 
data 154 is output. In the function F, three operations 
using the functions f 201 through 203 are performed, an 
operation using the function g 21 1 is then performed 
and the result is output. 

[0036] Then, similarly, operations are repeated 
through the functions F 102. 103. 104, and XOR circuits 
112, 113. 114 and n-bit data 155. 156 are output. The 
two n-bit data are united and output as 2n-bit data 157. 
[0037] Rg. 3 shows a general configuration of the 
cipher processing apparatus embodying the algorithm 
for data transformation explained by referring to Figs. 1 
and 2. 

[0038] In Fig. 3, reference numerals 301 . 302 and 303 
respectively show a register A, a register B and a regis- 
ter C. Reference numerals 311. 312 and 313 respec- 
tively show a selector A. a selector B and a selector C. 
321 and 322 denote bit by bit XOR circuits. 323 denotes 
a function f operating circuit, which is one of configura- 
tional elements performing the function F operation. 324 
denotes a function g operating circuit, which is one of 
configuratlonal elements performing the function F 
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operation. 

[0039] The register C 303, the selector C 313, the 
function f operating circuit 323 and the function g oper- 
ating circuit 324 form a first operating circuit 100. The 
register C 303, the selector C 313. the function f operat- 5 
ing circuit 323 form a loop processing circuit 200. 
[0040] Figs. 4 and 5 are flowcharts showing an oper- 
ation of the circuits shown in Fig, 3. 
[0041 ] The operation will be explained by referring to 
Figs. 4 and 5. io 
[0042] The operation by the function F is performed by 
three-times operation of the function f operating circuit 
and once operation of the function g operating circuit. 
[0043] Data transformation at a first stage shown in 
Fig. 1 will be explained. is 
[0044] An input data having 2 x n bits is divided into 
two n-bit data, namely, an input data A 351 and an input 
data B 352. The input data are selected by the selector 
A 31 1 and the selector B 312, and held in the register A 
301 and the register B 302 (at step 4-1 ). 20 
[0045] Then, in the selector C 313. it is detected 
whether this is a process of an odd-numbered stage or 
a process of an even-numbered stage (at step 4-2), the 
data held in the register A 301 is selected (at step 4-4). 
and the selected data is transformed by the function f 25 
operating circuit 323 (at step 4-6). The output data from 
the function f operating circuit 323 is held in the register 
C 303 (at step 4-7). A first operation by the function f 
operating circuit ends with this step. 

[0046] Then, in the selector C 31 3. the data held in the 30 
register C 303 is selected (at step 4-8). and the selected 
data is transformed by the function f operating circuit 
323 (at step 4-6). The data output from the function f 
operating circuit 323 is held in the register C 303 (at 
step 4-7). With this step, a second operation by the 3S 
function f operating circuit ends. 
[0047] Further, in the selector C 31 3. the data held in 
the register C 303 is selected (at step 4-8). The selected 
data is transformed by the function f operating circuit 

323 (at step 4-6). and the transformed data is held in the 40 
register C 303 (at step 4-7). With this step, a third oper- 
ation by the function f operating circuit 323 ends. 

[0048] Next, in the selector C 313. the data held in the 
register C 303 is selected (at step 4-9). The selected 
data is transformed by the function g operating circuit 45 

324 and the result is output (at step 4-10). With this 
step, a whole operation by the function F terminates. 
[0049] Next, it Is detected whether this is a process of 
an odd-numbered stage or a process of an even -num- 
bered stage (at step 4-11). the data output from the so 
function g operating circuit 324 is fed back to be XORed 
with the data held in the register B 302 by the XOR cir- 
cuit 322 (at step 4-14). The XORed data is selected by 
the selector B 312 and the selected data is held in the 
register B 302 (at step 4-15). This step completes the ss 
first stage of the data transformation. 

[0050] Next, a second stage of the data transforma- 
tion will be explained. 



[0051 ] It is detected to be an even-numbered stage (at 
step 4-2), and the selector C 313 selects the data held 
in the register B 302 (at step 4-3). Then, the selected 
data is transformed by the function f operating circuit 
323 (at step 4-6). and the output data is held in the reg- 
ister C 303 (at step 4-7). A first operation by the function 
f operating circuit ends with this step. 
[0052] Then, in the selector C 31 3, the data held in the 
register C 303 is selected (at step 4-8), and the selected 
data is transformed by the function f operating circuit 
323 (at step 4-6). The data output from the function f 
operating circuit 323 is held in the register C 303 (at 
step 4-7). With this step, a second operation by the 
function f operating circuit 323 ends. 
[0053] Further, in the selector C 313, the data held in 
the register C 303 is selected (at step 4-8). The selected 
data is transformed by the function f operating circuit 

323 (at step 4-6), and the transformed data is held in the 
register C 303 (at step 4-7). With this step, a third oper- 
ation by the function f operating circuit 323 ends. 
[0054] Next, in the selector C 313, the data held in the 
register C 303 is selected (at step 4-9). The selected 
data is transformed by the function g operating circuit 

324 and the result is output (at step 4-10). With this 
step, a whole operation by the function F circuit termi- 
nates. 

[0055] Next, it is detected to be a process of an even- 
numbered stage (at step 4-11). the data output from the 
function g operating circuit 324 is fed back to be XORed 
with the data held in the register A 301 by the XOR cir- 
cuit 321 (at step 4-12). The XORed data is selected by 
the selector A 311 and the selected data is held in the 
register A 301 (at step 4-13). This step completes the 
second stage of the data transformation. 
[0056] Hereinafter, similar processes to the first stage 
of the data transformation and the second data transfor- 
mation will be alternately repeated a necessary number 
of times. 

[0057] Finally, the data held in the registers A 301 and 
B 302 are output as output data A 353 and output data 
B 354 as a result of the data transformation of the final 
stage (at step 4-19). 

[0058] As has been described, according to this inven- 
tion, the one function f operating circuit 323 can be used 
repeatedly by providing the register C 303 and the 
selector 0 313. The cipher processing apparatus does 
not need to include three function f operating circuits, 
but need to include only one function f operating circuit 
323, which reduces a circuit scale. 
[0059] Especially, the function F (the function f. the 
function g), used for the data transformation for cipher 
processing, is known to have an extremely complex 
configuration because the data transformation for cipher 
processing requires to use a function being strong 
against cryptanalysis. Hence, the reduction of the circuit 
scale according to the present invention effects a tot to 
the data transformation for cipher processing. 
[0060] According to the invention, it is not always 
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required to operate the register A 301, the register B 
302. the register C 303. the selector A 31 1 . the selector 
312, and the selector C 313. The processes can be per- 
formed with these circuits operating only when required, 
which enables the apparatus to save electric power. 
[0061] Accordingly, this invention takes a great effect 
when applied to a small apparatus such as an IC card. 
The invention can be applied not only to the iC card, but 
also to a reader/writer for the IC card. 
[0062] The function F is not limited to have the above 
configuration. For example, when the function F is con- 
figured by only repeating the operation of function f as 
shown in Fig. 6. the function g is not needed for the con- 
figuration of Fig. 3- In this case, the data selected by the 
selector C 313 is directly fed back as shown in Fig. 7. 
[0063] When the function f operating circuit 323 
includes m (m ^ 1) number of functions, which consti- 
tute in an arbitrary order, as shown in Fig. 8. the m 
number of functions are aligned in parallel at a place 
corresponding to the function f operating circuit 323 of 
Fig. 3. The data Is input to each of the m number of 
functions from the selector C 313. the output data from 
the m number of functions are input to the selector with 
m number of inputs and one output, and the selector 
selects one output data to be held in the register C 303 
as shown in Fig. 9. These operations are repeated a 
number of times corresponding to an arbitrary order of 
the m number of functions. 

Embodiment 2. 

[0064] A cipher processing apparatus according to 

another embodiment of the present invention will be 

explained referring to Figs, 10 through 14. 

[0065] Fig. 1 0 shows a flowchart of MISTY encryption 

algorithm. 

[0066] Details of MISTY is disclosed in, for example, 
Mitsuru Matsui "Block Encryption Algorithm MISTY", 
the Institute of Electronics, Information and Communi- 
cation Engineers, Technical Report ISEC 96-11 (1996- 
07). 

[0067] In Fig. 10, reference numerals 501 through 506 
denote operations by functions FL. reference numerals 
511 through 514 denote operations by functions FO. 
and 521 through 524 are XOR operations. 
[0068] Fig. 1 1 shows operations using the functions 
FO 511 through 514 of Fig. 10. 

[0069] As shown in Fig. 1 1 , in MISTY algorithm, trans- 
formation process, including functions F I 601 through 
603 and XOR operations 61 1 through 613, is repeated 
three times as operations by the functions FO 511 
through 514. 

[0070] Rg. 12 shows one embodiment of a cipher 
processing apparatus applying the data transformation 
process of MISTY of Figs. 10 and 11 according to the 
present invention. 

[0071] In the following, an operation of the encryption 
algorithm of Figs. 10 and 1 1 will be explained. 



[0072] An input data 550 having 2 x n bits is divided 
into two n-bit data, one having upper n digits of the input 
data 550 and the other having lower n digits of the input 
data 550, and the two divided data are input as an input 

5 data A 551 and an input data B 552. In case of MISTY, 
n=32. After transformed by the function FL 501 , the n-bit 
input data 551 is output as n-bit data 553, and is also 
transformed by the function FO 511. The other n-bit 
input data 552 is transformed by the function FL 502. 

10 The data transformed by the function FO 51 1 is XORed 
bit by bit by the XOR operation 521 with the output data 
from the function FL 502, and n-bit data 554 is output. In 
the function FO, operations by the functions Fl 601 
through 603 and the XOR operations 611 through 613 

75 are performed. Namely, the input 2m-bit data (n bits) 
650 is divided into two m-bit data 651 and 652. After 
transformed by the function Fl. the data 651 is XORed 
bit by bit by the XOR operation 61 1 with the data 652, 
and the XORed result is output as data 653. The data 

20 652 is output as data 654 without any transformation. 
Hereinafter, the above operations are repeated in three 
stages. Finally, two m-brt data are united and output as 
2m-bit (n bits) data 655. 

[0073] Next, an operation at a second stage will be 

25 described. 

[0074] The output data 554 supplied from the first 
stage is output without any transformation, and at the 
same time, is transformed by the function FO 512. The 
output data from the function FO 51 2 is XORed bit by bit 

30 by the XOR operation 522 with the other n-bit data 553, 
and the XORed result is output. 
[0075] Hereinafter, data transformation similar to the 
process of the first and second stages is repeated a 
necessary number of times, and n-bIt data 557 and 558 

35 are output. Finally, the output data is transformed by FL 
functions 505 and 506 into data, of which the upper dig- 
its and the lower digits are exchanged, the two n-bit data 
are united, and 2n-bit data 559 is output. 
[0076] Fig. 12 shows a general configuration of the 

40 Cipher processing apparatus embodying the data trans- 
formation algorithm explained by referring to Figs. 10 
and 11. 

[0077] In Fig. 12, reference numerals 701. 702. 703 
denote a register A, a register B, and a register 0, 

45 respectively Reference numerals 711, 712, 713, 714 
denote a selector A, a selector B. a selector C, and a 
selector D. 721 , 722, 723 show XOR circuits, 724 shows 
a function Fl operating circuit for data transformation, 
and 725 shows a function FL operating circuit for data 

so transformation. 751 is an input data A, 752 is an input 
data B, 753 is an output data A, and 754 is an output 
data B. 

[0078] Here, the register C 703, the selector C 713, 
the function Fl operating circuit 724 and the XOR circuit 
55 723 constitute a first operating circuit 1 01 for a first data 
transformation. The register C 703. the selector C 713. 
the function Fl operating circuit 724, and the XOR circuit 
723 constitute a loop processing circuit 201 . 
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[0079] Figs. 13 through 15 are flowcharts explaining 
an operation of the cipher processing apparatus shown 
in Fig. 12. 

[0080] The operation will be described by referring to 
Figs. 13 through 15. 

[0081] First, an Input data having 2 x n bits is divided 
into two n-bit data, and input as an input data A 751 and 
an input data B 752. In case of MISTY, n=32. The two 
input data are respectively selected by the selector A 
71 1 , the selector B 712 and respectively held in the reg- 
ister A 701 . the register B 702 (at step 8-1). 
[0082] Next, in the selector C 713. it is detected 
whether this is a process of an odd-numbered stage or 
a process of an even-numbered stage (at step 8-2). and 
the data held in the register A 701 is selected (at step 8- 
3). Then, the selected data is transformed by the func- 
tion FL operating circuit 725 (at step 8-4). and the output 
data is selected by the selector D 714 (at step 8-5). Fur- 
ther, the selected data is selected by the selector A 71 1 
(at step 8-6). and is held in the register A 701 (at step 8- 
7). 

[0083] Next, in the selector C 71 3, the data held in the 
register B 702 is selected (at step 8-8). The selected 
data is transformed by the function FL operating circuit 
725 (at step 8-9). and the output data is selected by the 
selector D 714 (at step 8-10). Further, the selected data 
is selected by the selector B 712 (at step 8-11). and is 
held in the register B (at step 8-12). 
[0084] Next, in the selector C 713, the data held In the 
register A 701 is selected (at step 8-13). Then, the 
selected data (2 x m bits) Is divided Into two m-bit data, 
and one m-bit data is output as an output data without 
any transformation. The other m-bit data is input to the 
function Fl operating circuit 724 to be transformed. The 
transformed data is XORed bit by bit by the XOR circuit 
723 with the other m-bit data, and the XORed result and 
the output m-bIt data are united (at step 8-14). The 
united output data is held in the register C 703 (at step 
8-15). With this step, a first process including the func- 
tion Fl operating circuit 724 has been completed. 
[0085] Next, in the selector C 713. the data held in the 
register C 703 is selected (at step 8-16). The selected 
data (2 X m bits) is divided into two m-bit data, and one 
m-bit data is output as an output data without any trans- 
formation. The other m-bit data is Input to the function Fl 
operating circuit 724 to be transformed. The trans- 
formed data is XORed bit by bit by the XOR circuit 723 
with the other m-bit data, and the XORed result and the 
output m-bit data are united (at step 8-14), The united 
output data is held in the register 0 703 (at step 8-15). 
With this step, a second process including the function 
Fl operating circuit 724 has been completed. 
[0086] Next, in the selector C 71 3. the data held in the 
register C 703 is selected (at step 8-16). The selected 
data (2 X m bits) is divided into two m-bit data, and one 
m-bit data is output as an output data without any trans- 
formation. The other m-bit data is input to the function Fl 
operating circuit 724 to be transformed. The trans- 



formed data is XORed bit by bit by the XOR circuit 723 
with the other m-bit data, and the XORed result and the 
output m-bit data are united (at step 8-14). The united 
output data is held in the register C 703 (at step 8-15). 

5 With this step, a third process including the function Fl 
operating circuit 724 has been completed. 
[0087] Next, in the selector C 71 3. the data held in the 
register C 703 is selected (at step 8-16), and the 
selected data is selected by the selector D 71 4 (at step 

10 8-18). Then, it is detected whether this is a process of 
an odd -numbered stage or a process of an even -num- 
bered stage (at step 8-19), the selected data is fed back, 
and is XORed by the XOR circuit 722 with the data held 
in the register B 702 (at step 8-20). The output data from 

15 the XOR circuit B 702 is selected by the selector B 712 
(at step 8-21). and is held in the register B 702 (at step 
8-22). With this step, the data transformation process of 
the first stage terminates. 

[0088] Next, a data transformation process corre- 

20 sponding to the data transformation process of the sec- 
ond stage shown in Fig. 10 is performed. 
[0089] Rrst. in the selector C 713, it is detected to be 
an even-numbered stage (at step 8-2), and the data 
held in the register B 702 is selected (at step 8-24). 

25 [0090] The selected data (2 x m bits) is divided Into 
two m-bit data, and one m-bit data is output as an output 
data without any transformation. The other m-bit data is 
input to the function Fl operating circuit 724 to be trans- 
formed. The transformed data is XORed bit by bit by the 

30 XOR circuit 723 with the other m-bit data, and the 
XORed result and the output m-bIt data are united (at 
step 8-14). The united output data Is held in the register 
C 703 (at step 8-15). With this step, a first process 
including the function Fl operating circuit 724 has been 

35 completed. 

[0091 ] Next, in the selector 0 713. the data held in the 
register 0 703 is selected (at step 8-16). The selected 
data (2 X m bits) Is divided into two m-bit data, and one 
m-bit data is output as an output data without any trans- 

40 formation. The other m-bit data is input to the function Fl 
operating circuit 724 to be transformed. The trans- 
formed data is XORed bit by bit by the XOR circuit 723 
with the other m-bit data, and the XORed result and the 
output m-bit data are united (at step 8-14). The united 

45 output data is held in the register 0 703 (at step 8-15). 
With this step, a second process including the function 
Fl operating circuit 724 has been completed. 
[0092] Next, in the selector 0 713. the data held in the 
register C 703 is selected (at step 8-16). The selected 

so data (2 x m bits) is divided into two m-bit data, and one 
m-bit data is output as an output data without any trans- 
formation. The other m-bit data is input to the function Fl 
operating circuit 724 to be transformed. The trans- 
formed data is XORed bit by bit by the XOR circuit 723 

55 with the other m-bit data, and the XORed result and the 
output m-bit data are united (at step 8-14). The united 
output data is held in the register C 703 (at step 8-15).. 
Wrth this step, a third process including the function Fl 
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operating circuit 724 has been completed. 
[0093] Next, in the selector C 713. the data held in the 
register C 703 is selected (at step 8-16), and the 
selected data is selected by the selector D 714 (at step 
8-18). Then, it is detected to be an even-numbered 5 
stage (at step 8-19). the selected data is fed back, and 
is XORed bit by bit by the XOR circuit 721 with the data 
held in the register A 701 (at step 8-25). The output data 
from the XOR circuit A 721 is selected by the selector A 
71 1 (at step 8-26), and is held in the register A 701 (at io 
step 8-27). With this step, the data transformation proc- 
ess of the second stage terminates. 
[0094] Hereinafter, data transformation process simi- 
lar to the data transformation processes of the first 
stage and the second stage is repeated alternately a is 
necessary number of times. MISTY performs up to a 
transformation process corresponding to the transfor- 
mation process of an eighth stage. 
[0095] Then, a process of step 8-28 is performed. At 
step 8-28, the above steps 8-3 through 8-12 are per- 20 
formed. First, in the selector C 713, the data held in the 
register A 701 is selected (at step 8-3). Next, the 
selected data is transformed by the function FL operat- 
ing circuit 725 (at step 8-4). and the output data is 
selected by the selector D 71 4 (at step 8-5). Further, the 25 
selected data is selected by the selector A 71 1 (at step 
8-6). and is held in the register A 701 (at step 8-7). 
[0096] Next, in the selector C 71 3. the data held in the 
register B 702 is selected (at step 8-8). The selected 
data is transformed by the function FL operating circuit 30 
725 (at step 8-9), the output data is selected by the 
selector D 714 (at step 8-10). Further, the selected data 
is selected by the selector B 712 (at step 8-11). and is 
held in the register B (at step 8-12). 

[0097] Finally, the data held in the register A 701 and 35 
the register B 702 are output as an output data A 753 
and an output data B 754 (at step 8-29). 
[0098] According to this embodiment, the cipher 
processing apparatus does not need to include three 
function Fl operating circuits and three XOR circuits 40 
even when the functions FO 511 through 514 of each 
stage has such a configuration as sho\wn in Fig. 1 1 . It is 
enough for the cipher processing apparatus to include 
only one function F! operating circuit and one XOR cir- 
cuit, which enables to reduce a circuit scale. Further, 45 
the cipher processing apparatus does not need to 
include a plurality of circuits for the functions FL 501 
through 504 even when the cipher algorithm has a con- 
figuration as shown in Fig. 1 0. It is enough for the cipher 
processing apparatus to include only one function FL 50 
operating circuit, which also enables to reduce a circuit 
scale. 

[0099] In case of MISTY of this embodiment, a func- 
tion used for the function Fl and the function FL should 
be strong against cryptanalysis, so that the function has 55 
an extremely complex configuration. Hence, the reduc- 
tion of the circuit scale according to the present inven- 
tion is quite effective. 



[0100] Further, as clearly understood by the above 
description of the embodiment, it is not always required 
to operate the registers A through C, and the selectors 
A through D. The process can be performed with these 
circuits operating only when required, which takes a 
great effect on saving electric power. 
[0101] Accordingly, it is very effective to apply this 
invention to a small apparatus such as an IC card. The 
invention can be applied not only to the IC card, but also 
to a readerAwriter for the IC card. 

Embodiment 3. 

[01 02] Figs. 1 6 and 1 7 show general configurations of 
communication system of one embodiment of the 
present invention. 

[0103] In Figs. 16 and 17. a reference numeral 91 
shows a reader/writer, a reference numeral 92 shows an 
IC (integrated circuit) card, and 93 shows an IC of the IC 
card 92. The IC 93 includes configurational elements: a 
transmitter/receiver 94 for transmitting/receiving com- 
munication data; a CPU (central processing unit) 95 for 
controlling the apparatus; a memory 96 for storing data 
and program, etc.; and a cipher processing apparatus 
97 for encrypting/decrypting a communication data. The 
IC 93 includes the transmitter/receiver 94. the CPU 95. 
the memory 96, and the cipher processing apparatus 97 
as configurational elements. 

[0104] The cipher processing apparatus described in 
the first or the second embodiment is applied to the 
cipher processing apparatus 97. 
[0105] In this communication system, the encrypted 
data is transmitted. Namely, in the IC card 92. the trans- 
mitter/receiver 94 transmits data encrypted by the 
cipher processing apparatus 97 to the reader/writer 91 . 
The transmitter/receiver 94 also receives data transmit- 
ted from the reader/writer 91 , and the received data is 
decrypted by the cipher processing apparatus 97 to 
implement communication. 

[0106] In this case, communication between the 
reader/writer 91 and the IC card 92 can be either con- 
nected or unconnected. 

Industrial Applicability 

[01 07] As has been described, according to the inven- 
tion, in the communication system using encrypted 
data, the circuit scale of the cipher processing appara- 
tus can be reduced and the electric power can be 
saved. 

[0108] Further, an IC card can be effectively config- 
ured by applying the cipher processing apparatus of the 
Invention. The reduction of the circuit scale and the sav- 
ing electric power has been performed in the IC card. 

Claims 

1. A cipher processing apparatus performing a first 
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data transformation process on an input data a plu- 
rality of times by a first operating circuit, wherein: 

the first operating circuit comprises a loop 
processing circuit for performing a second data 
transformation process a plurality of times: 
wherein the loop processing circuit comprises 
a second operating circuit, a data holding cir- 
cuit, and a selecting circuit to form a processing 
loop; 

wherein the second operating circuit performs 
the second data transformation process; 
the data holding circuit tentatively holds the 
data on which the second data transformation 
process was performed; and 
the selecting circuit selects one of to terminate 
and to continue the second data transformation 
process by the loop processing circuit. 

The cipher processing apparatus of claim 1, 
wherein the second operating circuit comprises: 

a data dividing circuit dividing data input to the 
second operating circuit into a first divided data 
and a second divided data; 
a third operating circuit transforming the first 
divided data; 

an XOR circuit XORing an output data from the 
third operating circuit with the second divided 
data bit by bit; and 

a data uniting circuit uniting an output data from 
the XOR circuit and the second divided data. 

The cipher processing apparatus of claim 1, 
wherein the selecting circuit inputs a data for the 
first data transformation process by the first operat- 
ing circuit and a data held in the data holding circuit, 
and the selecting circuit selects the data held in the 
data holding circuit when a process by the loop 
processing circuit is to be continued. 

The cipher processing apparatus of claim 3. 
wherein the selecting circuit selects the data for the 
first data transformation process by the first operat- 
ing circuit when a process by the processing loop 
circuit starts. 

The cipher processing apparatus of claim 4, further 
comprising: 

a register A and a register B alternately holding 
the data for the first data transformation by the 
first operating circuit; 

two XOR circuits XORing bit by bit the data on 
which the first data transformation was per- 
formed by the first operating circuit with the 
data held in the register A and with the data 
held in the register B, respectively; 



a selector A and a selector B selecting one of 
the data on which the first data transformation 
was performed by a first operating unit and an 
XORed data by the XOR circuit to hold in the 
5 register A and the register B. respectively; and 

wherein the selecting circuit alternately selects 
the register A and the register 8 to start the 
process of the loop processing circuit. 

10 6. The cipher processing apparatus of claim 1, 
wherein the first operating circuit further performs a 
data transformation different from the second data 
transformation process for the data on which the 
second data transformation was performed by a 

15 processing loop unit to output a transformed data. 

7. The cipher processing apparatus of claim 1, 
wherein the second operating circuit comprises: 



m (m ^ 1) number of function operating circuits 
inputting identical data from the selecting cir- 
cuit; and 

a selector with m inputs and one output for 
inputting data operated by the m number of 
function operating circuits and selecting one of 
the input data. 

8. The cipher processing apparatus of claim 2, further 
comprising: 

a function operating unit transforming data out- 
put from the selecting circuit; and 
a selector Inputting data operated by the func- 
tion operating unit and the data output from the 
selecting circuit, and outputting one of the data. 

9. A cipher processing method performing a first data 
transformation for an input data a plurality of times 
by a first operating step, wherein: 

the first operating step comprises a loop 
processing step performing a second data 
transformation at a plurality of times; 
wherein the loop processing step comprises: 
a second operating step performing the second 
data transformation; 

a data holding step temporarily holding data on 
which the second data transformation was per- 
formed; and 

a selecting step for selecting either of to termi- 
nate and to continue the second data transfor- 
mation by the loop processing step. 

10. Tlie cipher processing method of claim 9, wherein 
the second operating step comprises: 

a data dividing step dividing data input to the. 
second operating step into a first divided data 



25 



30 



35 



40 



45 



50 



55 



BNSDOCID: <EP 0923062A1J_> 



17 EP 0 923 062 A1 18 



and a second divided data; 
a third operating step transforming the first 
• divided data; 
an XOR step XORing an output data from the 
third operating step with the second divided 
data bit by bit; and 

a data uniting step uniting an output data from 
the XOR step and the second divided data. 

11. An IC (integrated circuit) card communicating data 
with a reader/writer comprising: 



10 



a data receiving circuit receiving the data from 
the reader/writer; 

a data transmitting circuit transmitting the data is 
to the reader/writer; and 
the cipher processing apparatus of claim 1 
encrypting/decrypting the data. 

12. An IC card communicating data with a reader/writer 20 
comprising: 

a data receiving circuit receiving the data from 
the reader/writer; 

a data transmitting circuit transmitting the data 25 
to the reader/writer; and 
the cipher processing apparatus of claim 2 
encrypting/decrypting the data. 
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